Method and system for distinguishing relevant network security threats using comparison of refined intrusion detection audits and intelligent security analysis

ABSTRACT

An apparatus, a method, and a computer program are provided for distinguishing relevant security threats. With conventional computer systems, distinguishing potential security threats from actual security threats is a complex and difficult task because of the general inability to quantify a “threat.” By the use of an intelligent conceptual clustering technique, threats can be accurately distinguished from benign behaviors. Thus, electronic commerce, and Information Technology systems generally, can be made safer without sacrificing efficiency.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates generally to network security and, more particularly, to the use of conceptual clustering in order to determine and eliminate potential security threats.

2. Description of the Related Art

Due to the increased reliance on Information Technology (IT) in the present business arena, there is an ever-increasing need to protect the IT infrastructure. In protecting the IT infrastructure, network security has become a paramount issue. There is a need to protect the IT infrastructure for a variety of reasons, such as to limit down-time and provide secure data transmission.

However, implementation of security measures is not a simple task. For an IT system, the basic approach to security is to monitor traffic across the IT network to identify patterns that indicate system intrusion. There are a variety of methodologies that may be employed to identify intrusion patterns, such as regression analysis and certain inductive techniques. Generally, the security approaches monitor usage behaviors and requests of network ports and resources in order to determine potential intrusion risks. For example, certain requests at certain times of day or night can be indicative of a system attack. Thus, pattern analysis can be employed to make such determinations. However, methods of attack are neither finite nor static. Instead, methods of attack change. Hence, pattern analyses must be updated to at least maintain equal footing, or at least a semblance of parity, with those who mean to cause harm to the IT infrastructure.

In addition, as the volume of events occurring on a network increases relative to a generally lower volume of actual intrusions, the difficulty in determining threats correspondingly increases. The pattern space can be simplified, but if the space is too general, the patterns will trigger false positives, needlessly interrupting system operation, wasting management resources and degrading system reliability.

Therefore, a need exists for a method and/or apparatus for utilizing qualitative and quantitative measurements to improve the degree of accuracy in analyzing potential security risks, one that addresses at least some of the problems associated with conventional methods and apparatuses based on current security algorithms.

SUMMARY OF THE INVENTION

The present invention provides an apparatus for determining computer security threats to an Information Technology (IT) infrastructure. A network scanner utilizes at least one taxonomy to determine a possible intrusion. An intrusion detector detects at least one actual intrusion. A false-positive/true-positive (FPTP) detector compares the determined possible intrusion with the detected actual intrusion to update the taxonomy.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the present invention and the advantages thereof, reference is now made to the following descriptions taken in conjunction with the accompanying drawings, in which:

FIG. 1 is a block diagram depicting a sample taxonomy;

FIG. 2 is a block diagram depicting a system for distinguishing relevant security threats; and

FIG. 3 is a flow chart depicting a method of distinguishing relevant security threats.

DETAILED DESCRIPTION

In the following discussion, numerous specific details are set forth to provide a thorough understanding of the present invention. However, those skilled in the art will appreciate that the present invention may be practiced without such specific details. In other instances, well-known elements have been illustrated in schematic or block diagram form in order not to obscure the present invention in unnecessary detail. Additionally, for the most part, details concerning network communications, electromagnetic signaling techniques, and the like, have been omitted inasmuch as such details are not considered necessary to obtain a complete understanding of the present invention, and are considered to be within the understanding of persons of ordinary skill in the relevant art.

It is further noted that, unless indicated otherwise, all functions described herein may be performed in either hardware or software, or some combination thereof. In a preferred embodiment, however, the functions are performed by a processor such as a computer or an electronic data processor in accordance with code such as computer program code, software, and/or integrated circuits that are coded to perform such functions, unless indicated otherwise.

Referring to FIG. 1 of the drawings, the reference numeral 100 generally designates a block diagram depicting a sample taxonomy. The taxonomy 100 comprises a first level 120, a second level 122, a third level 124, and a fourth level 126. The first level 120 further comprises a day of the week category 102. The second level 122 further comprises a weekend category 104 and a workday category 106. The third level 124 further comprises a Saturday category 108, a Sunday category 110, a Monday category 112, and a Friday category 114. The fourth level 126 further comprises a first timestamp t1, a second timestamp t2, and a third timestamp t3.

In forming the taxonomy, the various levels are interrelated. Each of the timestamps t1, t2, and t3 occurs at a specific time of the week. Therefore, each timestamp t1, t2, and t3 can be categorized under a specific day of the week, such as Saturday 108, and can be categorized under a part of the week, such as weekend 104. In other words, each subsequent level is one or more subsets of the previous level.

Correspondingly, numerical values can be tied to each timestamp t1, t2, and t3 for the subset to which the timestamp belongs. This type of categorization is known as a “cluster” and its formulation is known as “clustering.” The numerical values can then be used to determine threat levels. Security analyses typically require correlating combinations and sequences of events with a known intrusion. Because the number of possible combinations and sequences is enormous, it can be extremely difficult to identify useful patterns. Cluster analyses that utilize taxonomies, such as the sample taxonomy of FIG. 1, are an effective data-reduction tool for reducing the number of possible combinations and sequences to a size that can be handled more quickly in real time. Clustering seeks to group objects into categories or clusters, wherein the objects of a category have similar features.
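The following is an added example of the clustering that FIG. 1 describes; it is not code from the patent. It files constructed timestamps along the four taxonomy levels (day of the week, weekend/workday, named day, timestamp), ties a numerical value (cluster size and share of all events) to each cluster, and uses cluster rarity as a hypothetical threat-level rule, which is an assumption: the text says only that numerical values are attached and used to determine threat levels. The sample dates and the probe events are constructed.

```python
"""Conceptual clustering of event timestamps over the FIG. 1 taxonomy.

Added example (not code from the patent).  It assumes the four taxonomy
levels of FIG. 1 (day of the week -> weekend/workday -> named day ->
timestamp) and a hypothetical scoring rule, cluster rarity, for the
"numerical value" the text attaches to each cluster.  All timestamps are
constructed for the example.
"""
from __future__ import annotations

from datetime import datetime

WEEKEND_DAYS = ("Saturday", "Sunday")


def taxonomy_path(ts: datetime) -> tuple[str, str, str]:
    """Categorise a timestamp top-down along the FIG. 1 taxonomy.

    Level 1 (120): the day-of-the-week root category 102
    Level 2 (122): weekend 104 or workday 106
    Level 3 (124): the named day, e.g. Saturday 108
    Level 4 (126): the timestamp itself, which is the object being filed
    """
    day = ts.strftime("%A")
    part = "weekend" if day in WEEKEND_DAYS else "workday"
    return ("day of the week", part, day)


def cluster(timestamps):
    """Group timestamps into clusters keyed by their taxonomy path.

    Every timestamp lands in exactly one level-3 cluster, and each level-3
    cluster is a subset of its level-2 cluster, which is the nesting of
    levels the text describes.
    """
    clusters: dict[tuple[str, str, str], list[datetime]] = {}
    for ts in timestamps:
        clusters.setdefault(taxonomy_path(ts), []).append(ts)
    return clusters


def cluster_values(clusters):
    """Tie a numerical value to every cluster: (size, share of all events).

    The share is the hypothetical quantity used below as a threat
    indicator; the patent only states that numerical values are attached
    to the subset a timestamp belongs to and then used for threat levels.
    """
    total = sum(len(m) for m in clusters.values())
    return {path: (len(members), len(members) / total)
            for path, members in clusters.items()}


def threat_level(ts: datetime, values) -> float:
    """Hypothetical scoring rule: the rarer the cluster an event falls in,
    the higher its threat level, from 0.0 (every event is here) to 1.0
    (this cluster has never been seen in the clustered history)."""
    path = taxonomy_path(ts)
    if path not in values:
        return 1.0
    _size, share = values[path]
    return round(1.0 - share, 3)


# Constructed sample: seven events from the first full week of January 2004
# (2004-01-03 is a Saturday, 2004-01-05 a Monday, 2004-01-09 a Friday).
SAMPLE_TIMESTAMPS = [datetime.fromisoformat(s) for s in (
    "2004-01-05T09:15", "2004-01-05T10:00", "2004-01-05T14:30",  # Monday
    "2004-01-09T17:45", "2004-01-09T18:05",                      # Friday
    "2004-01-03T02:10",                                          # Saturday (t1)
    "2004-01-04T03:05",                                          # Sunday (t2)
)]

# Constructed probe events scored against the clustered history.
PROBE_TIMESTAMPS = ("2004-01-07T09:00",   # Wednesday: cluster never seen
                    "2004-01-10T02:00")   # Saturday: a rare (1 of 7) cluster


def summarize(timestamps, probes=PROBE_TIMESTAMPS):
    """Cluster the events, report the data reduction, and score the probes."""
    clusters = cluster(timestamps)
    values = cluster_values(clusters)
    scores = {iso: threat_level(datetime.fromisoformat(iso), values)
              for iso in probes}
    return {"events": len(timestamps), "clusters": len(clusters),
            "values": values, "probe_scores": scores}


if __name__ == "__main__":
    report = summarize(SAMPLE_TIMESTAMPS)
    print(f"{report['events']} events reduced to {report['clusters']} clusters")
    for path, (size, share) in sorted(report["values"].items()):
        print(f"  {'/'.join(path):40s} size={size} share={share:.2f}")
    for iso, score in report["probe_scores"].items():
        print(f"threat level of a new event at {iso}: {score}")
```

Seven raw timestamps collapse to four clusters, which is the data reduction the paragraph is after. The rarity rule is deliberately naive: it scores an event on a never-seen weekday as maximally suspicious, which is exactly the kind of over-general pattern the Background warns will trigger false positives unless the FPTP feedback of FIG. 3 refines the clusters.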

Most pattern analyses work very well using quantitative or numeric measures of similarity and difference. However, many useful measures and patterns are qualitative or subjective and, therefore, do not have properties that make them readily amenable to measures of similarity or difference. For example, quantitative measures are difficult to apply consistently in determining the degree of similarity between a banana, a rock, and a yo-yo.

If a common measurement in security is considered, such as an IP address (e.g. 9.8.765.43; note that the third octet of this example exceeds the 255 maximum of an IPv4 octet), this “number” actually represents an identity. Different IP addresses can have different properties which can be meaningful from a security standpoint. For example, they can represent a particular IP provider, a particular geography or, if the address is dynamically assigned, a particular day of the week, as in FIG. 1.

Referring to FIG. 2 of the drawings, the reference numeral 200 generally designates a block diagram depicting the system for distinguishing relevant security threats. The system 200 comprises a computer network 201, a network scanner 202, an Information Technology (IT) Computer Infrastructure 203, a server and intrusion detector 204, and a false positive/true positive detector 205.

The computer network 201 is coupled to the network scanner 202 through a first communication channel 210. Also, the computer network 201 is coupled to the IT Computer Infrastructure 203 through a second communication channel 211. The computer network 201 may comprise any type of network, including, but not limited to, the Internet. Moreover, any of the aforementioned communication channels would encompass wireless links, packet switched channels, circuit switched or direct communication channels, any other channel of information transfer, as well as any combination of such channels. Furthermore, any of the aforementioned communication channels may be coupled to each component through multiple communication channels or a single communication channel, as shown in FIG. 2.

The network scanner 202 is another element of the system 200. The network scanner 202 provides threat assessment analysis of the IT Computer Infrastructure 203. The network scanner 202 is coupled to the IT Computer Infrastructure 203 through a third communication channel 212. The network scanner 202 is also coupled to the computer network 201 through the first communication channel 210. The network scanner 202 is additionally coupled to the false positive/true positive detector 205 through a fourth communication channel 213. Through simulation of attacks and a variety of other techniques, the network scanner is able to determine possible patterns for attacks. In other words, the network scanner 202 organizes observable data into meaningful structures, or develops taxonomies. For example, detected usage from a specific company may not be useful in and of itself, but in conjunction with other data a correlation may be developed that corresponds to an attack. There are a number of services that provide network scanning and develop taxonomies, such as CycSecure® (a registered trademark and product of Cycorp, Inc., Suite 100, 3721 Executive Center Drive, Austin, Tex. 78731). Moreover, any of the aforementioned communication channels would encompass wireless links, packet switched channels, direct communication channels, and any combination of the three. Furthermore, any of the aforementioned communication channels may be coupled to each component through multiple communication channels or a single communication channel, as shown in FIG. 2.

The IT Computer Infrastructure 203 is the component in need of protection. The IT Computer Infrastructure 203 is coupled to the computer network 201 through the second communication channel 211. Also, the IT Computer Infrastructure 203 is coupled to the network scanner 202 through the third communication channel 212. The IT Computer Infrastructure 203 is also coupled to the server and intrusion detector 204 through a fifth communication channel 214. The IT Computer Infrastructure 203 can be composed of a single computer or of multiple computers and/or servers. The IT Computer Infrastructure 203 also provides the framework that the business uses to operate. Moreover, any of the aforementioned communication channels would encompass wireless links, packet switched channels, direct communication channels, and any combination of the three. Furthermore, any of the aforementioned communication channels may be coupled to each component through multiple communication channels or a single communication channel, as shown in FIG. 2.

The server and intrusion detector 204 monitors the IT Computer Infrastructure 203. The server and intrusion detector 204 is coupled to the IT Computer Infrastructure 203 through the fifth communication channel 214. Also, the server and intrusion detector 204 is coupled to the false positive/true positive detector 205 through a sixth communication channel 215. The server and intrusion detector 204 monitors actual usage of, and attacks on, the IT Computer Infrastructure 203 and generates network intrusion reports. Also, the server and intrusion detector 204 can relay comparative data from the false positive/true positive detector 205 to the IT Computer Infrastructure 203 to refine the semantic cluster analyses. Moreover, any of the aforementioned communication channels would encompass wireless links, packet switched channels, direct communication channels, and any combination of the three. Furthermore, any of the aforementioned communication channels may be coupled to each component through multiple communication channels or a single communication channel, as shown in FIG. 2.

The false positive/true positive detector 205 is an updating component that increases the accuracy of threat assessment. The false positive/true positive detector 205 is coupled to the network scanner 202 through the fourth communication channel 213. Also, the false positive/true positive detector 205 is coupled to the server and intrusion detector 204 through the sixth communication channel 215. The false positive/true positive detector 205 compares the data generated by the network scanner 202 with the data generated by the server and intrusion detector 204 in order to differentiate identified threats determined to be false positives from identified threats determined to be true positives. Once the differentiation of threats has been accomplished, the threats are prioritized and the defensive software of the IT Computer Infrastructure 203 is updated. The method of threat analysis used by the false positive/true positive detector 205 is detailed below and in the flow chart of FIG. 3. Moreover, any of the aforementioned communication channels would encompass wireless links, packet switched channels, circuit switched or direct communication channels, any other channel of information transfer, as well as any combination of such channels. Furthermore, any of the aforementioned communication channels may be coupled to each component through multiple communication channels or a single communication channel, as shown in FIG. 2.

Referring to FIG. 3, the reference numeral 300 generally designates a flow chart depicting the method of distinguishing relevant security threats.

In step 301, the network intrusion detection devices are audited. The system 200 of FIG. 2 is enabled to monitor a variety of network scanning devices, such as the network scanner 202 of FIG. 2. The network scanner 202 of FIG. 2 performs a threat assessment of the weaknesses of the defensive structure of the IT Computer Infrastructure 203 of FIG. 2. The false positive/true positive detector 205 of FIG. 2 audits the results of the network scanner 202 of FIG. 2 in order to obtain all possible threats determined through the threat assessment.

In step 302, the network intrusion reports are retrieved. The server and intrusion detector 204 of FIG. 2 makes actual measurements of intrusions and security lapses. From the monitoring of the system 200 of FIG. 2, the server and intrusion detector 204 of FIG. 2 generates a network intrusion report and forwards the report to the false positive/true positive detector 205 of FIG. 2.

In steps 303, 304, and 305, the network intrusion report and the threat assessment are compared. The false positive/true positive detector 205 of FIG. 2 performs the comparison. By making the comparison, the false positive/true positive detector 205 of FIG. 2 can determine which of the assessed threats are actual threats and which assessed threats are benign. The false positive/true positive detector 205 of FIG. 2 then labels an assessed threat as a false positive, in step 304, if the assessed threat is benign, that is, if no actual intrusion counterpart occurred. Likewise, the false positive/true positive detector 205 of FIG. 2 labels an assessed threat as a true positive, in step 305, if the assessed threat is an actual threat, that is, if an actual intrusion counterpart did occur.

In steps 306, 307, and 308, the semantic clustering is refined. The defensive algorithm of the IT Computer Infrastructure 203 of FIG. 2 receives the labeled assessed threats in real time from the false positive/true positive detector 205 of FIG. 2. The precise labeling allows the defensive algorithm to rapidly update the semantic clustering that it comprises, in step 306, so as to allow benign usages that may previously have been falsely determined to be actual security risks. Also, the true positives are sorted by size, in step 307, and are prioritized according to user-defined priorities, in step 308. The organization of true positive security threats allows for better defense of the IT Computer Infrastructure 203 of FIG. 2. Therefore, the improved technique of FIG. 3 reduces the size of the pattern space and identifies potential threats without triggering too many false instances.
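The following is an added example of the whole FIG. 3 pass, steps 301 through 308, run over constructed reports; it is not the patent's own code. Everything the text leaves open is an assumption here: the record formats of the scanner's threat assessment and of the IDS network intrusion report, the counterpart rule (an actual intrusion matches a possible one when the signature and the target host agree), "size" of a true positive meaning the number of actual counterparts observed, the taxonomy being a map from FIG. 1 cluster paths to a suspect/benign label, and the user-defined priority table. Hosts, signature names and cluster assignments are constructed.

```python
"""The FIG. 3 method, steps 301-308, run over constructed reports.

Added example, not the patent's own code.  It assumes: a record format for
the scanner's threat assessment and for the IDS network intrusion report,
a counterpart rule (signature and target host agree), "size" of a true
positive meaning the number of actual counterparts, a taxonomy stored as
cluster path -> "suspect"/"benign", and a user-supplied priority table.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Possible:
    """One entry of the scanner's threat assessment (audited in step 301)."""
    signature: str
    host: str
    cluster: tuple  # taxonomy path the scanner filed the threat under


@dataclass(frozen=True)
class Actual:
    """One entry of the IDS network intrusion report (retrieved in step 302)."""
    signature: str
    host: str


def counterpart_key(rec) -> tuple[str, str]:
    """Assumed counterpart rule: same signature against the same host."""
    return (rec.signature, rec.host)


def compare(possible, actual):
    """Steps 303-305: label each possible intrusion.

    Returns (true_positives, false_positives).  Each item is (record, size),
    where size is the number of actual counterparts observed; a false
    positive therefore always carries size 0.
    """
    hits = Counter(counterpart_key(a) for a in actual)
    tps, fps = [], []
    for p in possible:
        size = hits.get(counterpart_key(p), 0)
        (tps if size else fps).append((p, size))
    return tps, fps


def refine_taxonomy(taxonomy, tps, fps):
    """Step 306: clusters that produced only false positives are relabelled
    benign, so the defensive algorithm stops raising events filed there;
    a cluster that produced any true positive stays (or becomes) suspect."""
    updated = dict(taxonomy)
    suspect = {p.cluster for p, _ in tps}
    for p, _ in fps:
        if p.cluster not in suspect:
            updated[p.cluster] = "benign"
    for c in suspect:
        updated[c] = "suspect"
    return updated


def prioritize(tps, priorities, default=99):
    """Steps 307-308: sort true positives by size, largest first, then by the
    user-defined priority of the signature (lower = more urgent).  The second
    sort is stable, so size remains the tie-breaker within a priority."""
    by_size = sorted(tps, key=lambda t: t[1], reverse=True)
    return sorted(by_size, key=lambda t: priorities.get(t[0].signature, default))


def assess(possible, taxonomy):
    """What the refined defensive algorithm would still raise on the next
    pass: possible intrusions whose cluster is not marked benign."""
    return [p for p in possible if taxonomy.get(p.cluster) != "benign"]


def run_fptp(scanner_report, ids_report, taxonomy, priorities):
    """One complete FPTP pass; returns what each step produced."""
    tps, fps = compare(scanner_report, ids_report)
    refined = refine_taxonomy(taxonomy, tps, fps)
    ordered = prioritize(tps, priorities)
    return {
        "true_positives": [p.signature for p, _ in ordered],
        "false_positives": [p.signature for p, _ in fps],
        "taxonomy": refined,
        "still_raised": [p.signature for p in assess(scanner_report, refined)],
    }


# Constructed sample data: clusters are FIG. 1 taxonomy paths, hosts are
# private (RFC 1918) addresses, and the signature names are illustrative.
SAT = ("day of the week", "weekend", "Saturday")
SUN = ("day of the week", "weekend", "Sunday")
MON = ("day of the week", "workday", "Monday")
FRI = ("day of the week", "workday", "Friday")

SCANNER_REPORT = [
    Possible("ssh-bruteforce", "10.0.0.5", SAT),
    Possible("port-sweep", "10.0.0.7", SAT),
    Possible("backup-agent-login", "10.0.0.9", SUN),     # weekend backup job
    Possible("sql-injection", "10.0.0.12", MON),
    Possible("nightly-report-fetch", "10.0.0.12", FRI),  # scheduled fetch
]
IDS_REPORT = [
    Actual("ssh-bruteforce", "10.0.0.5"),
    Actual("ssh-bruteforce", "10.0.0.5"),
    Actual("ssh-bruteforce", "10.0.0.5"),
    Actual("sql-injection", "10.0.0.12"),
]
INITIAL_TAXONOMY = {SAT: "suspect", SUN: "suspect", MON: "suspect", FRI: "suspect"}
PRIORITIES = {"sql-injection": 1, "ssh-bruteforce": 2}  # user-defined, step 308

if __name__ == "__main__":
    for key, value in run_fptp(SCANNER_REPORT, IDS_REPORT,
                               INITIAL_TAXONOMY, PRIORITIES).items():
        print(f"{key}: {value}")
```

Two points a practitioner should check before deploying this loop. First, the counterpart rule makes the IDS the ground truth: an intrusion the IDS misses is labelled a false positive, and if nothing else in its cluster was confirmed the whole cluster is relabelled benign, which silences future alerts there. Requiring several false-positive-only observations before relabelling, and never relabelling clusters that cover signatures with known-weak IDS coverage, limits that failure. Second, the text gives "sorted by size" and "prioritized" as separate steps; the stable two-key sort above makes user priority the primary key and size the tie-breaker, which is one reading of that ordering, not the only one.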

It will further be understood from the foregoing description that various modifications and changes may be made in the preferred embodiment of the present invention without departing from its true spirit. This description is intended for purposes of illustration only and should not be construed in a limiting sense. The scope of this invention should be limited only by the language of the following claims.

Having thus described the present invention by reference to certain of its preferred embodiments, it is noted that the embodiments disclosed are illustrative rather than limiting in nature and that a wide range of variations, modifications, changes, and substitutions are contemplated in the foregoing disclosure and, in some instances, some features of the present invention may be employed without a corresponding use of the other features. Many such variations and modifications may be considered desirable by those skilled in the art based upon a review of the foregoing description of preferred embodiments. Accordingly, it is appropriate that the appended claims be construed broadly and in a manner consistent with the scope of the invention.

1. A method for determining computer security threats, comprising: obtaining a possible intrusions report having indicia of a plurality of possible network intrusions; retrieving an actual intrusions report having indicia of at least one actual intrusion from a security network, wherein the security network is at least configured to utilize at least one taxonomy; comparing the possible intrusion reports with the actual intrusion reports to determine one or more false positives and one or more true positives; and updating the at least one taxonomy with at least one of the false positives and at least one of the true positives.
2. The method of claim 1, wherein the step of comparing further comprises: labeling indicia of at least one possible network intrusion of a plurality of possible network intrusions as a false positive when at least one actual intrusion counterpart has not occurred; and labeling indicia of the at least one possible network intrusion of the plurality of possible network intrusions as true positive when at least one actual intrusion counterpart has occurred.
3. The method of claim 1, wherein the updating the at least one taxonomy further comprises sorting the at least one possible network intrusion of the plurality of network intrusions labeled as true positive.
4. The method of claim 1, wherein the updating the at least one taxonomy further comprises prioritizing the at least one possible network intrusion of the plurality of network intrusions labeled as true positive.
5. An apparatus for determining computer security threats, comprising: means for obtaining a possible intrusions report having indicia of a plurality of possible network intrusions; means for retrieving an actual intrusions report having indicia of at least one actual intrusion from a security network, wherein the security network is at least configured to utilize at least one taxonomy; means for comparing the possible intrusion reports with the actual intrusion reports to determine one or more false positives and one or more true positives; and means for updating the at least one taxonomy with at least one of the false positives and at least one of the true positives.
6. The apparatus of claim 5, wherein means for comparing further comprises: means for labeling indicia of at least one possible network intrusion of a plurality of possible network intrusions as a false positive when at least one actual intrusion counterpart has not occurred; and means for labeling indicia of the at least one possible network intrusion of the plurality of possible network intrusions as true positive when at least one actual intrusion counterpart has occurred.
7. The apparatus of claim 5, wherein the means for updating the at least one taxonomy further comprises means for sorting the at least one possible network intrusion of the plurality of network intrusions labeled as true positive.
8. The apparatus of claim 5, wherein the means for updating the at least one taxonomy further comprises means for prioritizing the at least one possible network intrusion of the plurality of network intrusions labeled as true positive.
9. A computer program product for determining computer security threats, the computer program product having a medium with a computer product embodied thereon, the computer program comprising: computer code for obtaining a possible intrusions report having indicia of a plurality of possible network intrusions; computer code for retrieving an actual intrusions report having indicia of at least one actual intrusion from a security network, wherein the security network is at least configured to utilize at least one taxonomy; computer code for comparing the possible intrusion reports with the actual intrusion reports to determine one or more false positives and one or more true positives; and computer code for updating the at least one taxonomy with at least one of the false positives and at least one of the true positives.
10. The computer program product of claim 9, wherein computer code for comparing further comprises: computer code for labeling indicia of at least one possible network intrusion of a plurality of possible network intrusions as a false positive when at least one actual intrusion counterpart has not occurred; and computer code for labeling indicia of the at least one possible network intrusion of the plurality of possible network intrusions as true positive when at least one actual intrusion counterpart has occurred.
11. The computer program product of claim 9, wherein the computer code for updating the at least one taxonomy further comprises a computer program product for sorting the at least one possible network intrusion of the plurality of network intrusions labeled as true positive.
12. The computer program product of claim 9, wherein the computer code for updating the at least one taxonomy further comprises a computer program product for prioritizing the at least one possible network intrusion of the plurality of network intrusions labeled as true positive.
13. A processor for determining computer security threats, the processor including a computer program comprising: computer code for obtaining a possible intrusions report having indicia of a plurality of possible network intrusions; computer code for retrieving an actual intrusions report having indicia of at least one actual intrusion from a security network, wherein the security network is at least configured to utilize at least one taxonomy; computer code for comparing the possible intrusion reports with the actual intrusion reports to determine one or more false positives and one or more true positives; and computer code for updating the at least one taxonomy with at least one of the false positives and at least one of the true positives.
14. The computer program code of claim 13, wherein computer code for comparing further comprises: computer code for labeling indicia of at least one possible network intrusion of a plurality of possible network intrusions as a false positive when at least one actual intrusion counterpart has not occurred; and computer code for labeling indicia of the at least one possible network intrusion of the plurality of possible network intrusions as true positive when at least one actual intrusion counterpart has occurred.
15. The computer program code of claim 13, wherein the computer code for updating the at least one taxonomy further comprises a computer program product for sorting the at least one possible network intrusion of the plurality of network intrusions labeled as true positive.
16. The computer program code of claim 13, wherein the computer code for updating the at least one taxonomy further comprises a computer program product for prioritizing the at least one possible network intrusion of the plurality of network intrusions labeled as true positive.
17. An apparatus for determining computer security threats at least coupled to an Information Technology (IT) infrastructure, comprising: a network scanner, wherein the network scanner at least utilizes at least one taxonomy to determine at least one possible intrusion; an intrusion detector, wherein the intrusion detector at least detects at least one actual intrusion; and a false-positive/true-positive (FPTP) detector, wherein the FPTP detector at least compares the at least one possible intrusion with the at least one actual intrusion in order to update the at least one taxonomy.
18. The apparatus of claim 17, wherein the FPTP detector further is at least configured to label the at least one possible intrusion as false-positive or true positive.
19. The apparatus of claim 18, wherein the FPTP detector is at least configured to sort possible intrusions labeled as true positive.
20. The apparatus of claim 18, wherein the FPTP detector is at least configured to prioritize possible intrusions labeled as true positive.